Enterprise Risk Management White Paper
1. Introduction
This white paper introduces Enterprise Wide Risk Management (EWRM) as a product, outlines the
business drivers surrounding it, explains the differences between enterprise and traditional risk
management, defines an EWRM program, and explains its benefits.
The type, scope, and frequency of both internal and external risks facing companies today have
increased significantly. To meet business objectives, business leaders must now address new and
different forms of business risks. Many factors contribute to most companies’ changing risk profile,
including changes in strategies and operations and increased risk from their external environment.
Global conglomerates increasingly dominate today’s ever-changing market. To compete, companies
need to be fast and nimble. Business leaders must continuously adapt strategies and operations
and introduce new initiatives to meet these competitive business challenges. However, without an
appropriate risk management program, these could expose companies to additional and increased
risks. For example, new product initiatives can increase exposure to commodity price volatility,
market risks, and additional product liability lawsuits. New acquisitions can expose a company to
increased political and business risks.
Changes to a company’s external environment represent another reason for an increased risk
profile. Most businesses today are rapidly transforming due to technological advances, more
sophisticated business processes – such as outsourcing – changing consumer preferences, more
efficient manufacturing methods, and globalization. The result is increased competition, shortened
product lifecycles, and decreased margins. From a risk perspective, the result is increased exposure
to new and more serious business and operational risks.
The message to management and boards of directors of both public and private companies is clear
– the bar has been raised; for public companies, earnings surprises are not acceptable. It is the
responsibility of the leadership team to ensure that rigorous internal control and risk management
policies, practices, and procedures are in place to ensure accurate financial reporting.
There are several reasons why this change is occurring now:
- Outsiders are pushing companies to manage risk more comprehensively and systematically.
- Investors are becoming more sensitive to any deviation from earnings estimates,
  encouraging companies to address the causes of earnings volatility.
- Shareholders are increasingly holding boards of directors and senior executives to higher
  accountability standards, especially against the backdrop of the recent global economic
  meltdown.
- The continuing convergence of the traditional capital and insurance markets is yielding
  innovative approaches to managing emerging risks.
- Many companies perceive a rise in the number and severity of the risks they face.
Today’s business leaders need to understand that increased risk is the price to pay for change and
progress. However, there is a difference between taking a chance and taking a risk. In taking a
chance, the outcomes are uncertain because it is done without foresight or knowledge. In risk
taking, the downside outcomes can be controlled, if conducted within the proper risk management
structure.
2. The Traditional Approach to Risk Management
Risk is the level of exposure, both known and unknown, to market uncertainties that the
organization must understand, identify and effectively manage as it executes its strategies to
successfully achieve its business objectives. In order for most companies to meet their goals and
objectives, they must face new challenges and take greater risks. However, if the risk management
process is flawed, a company will suffer in the competitive marketplace.
Traditionally, companies adopted a siloed approach to risk management. Responsibility for
managing various types of risks was assigned to the business or functional unit with the greatest
exposure. Business risk was assigned to the operating units; insurable or transferable risk to the
Corporate Risk Management Department; financial risks (market, interest rate, etc.) to Treasury;
and compliance risk to Legal. Companies focused primarily on easily measurable risks. Ill-defined
or ambiguous risks, such as strategic and operational risks, were often not coordinated or were
overlooked. The risk management strategy for the individual risk was usually tacked onto existing
business processes without a uniform approach or a common risk language.
3. Enterprise-wide Risk Management
Enterprise-wide Risk Management (EWRM) is the means of applying active risk management to all
the risks facing an organization. A recent survey conducted by The Economist Intelligence Unit and
MMC Enterprise Risk found that 41% of companies have some form of EWRM. The survey also
found that companies using EWRM are more confident in their ability to manage risk.
In the wake of the global economic meltdown, corporate scandals, earnings surprises, and the loss
of consumer confidence, more companies recognize the deficiencies of the traditional approach to
managing risk. They now are turning to EWRM solutions to better prepare them for the new
challenges and uncertainties emerging in today’s changing environment.
EWRM is a disciplined and integrated approach that supports the alignment of strategy, process,
people, and technology, and allows corporations to identify, prioritize, and effectively manage their
critical risks. By understanding all risks in an integrated framework, companies can execute proper
strategies to successfully achieve their objectives and to meet their performance goals. It allows
companies to identify the risks they can:
- Transfer through insurance or hedging programs;
- Accept as is;
- Reduce through rigorous management practices; or
- Simply reject by eliminating a process, a product, or a geographical zone.
An EWRM approach is anticipatory and proactive. It provides a process to actively support the
realization of the company’s strategic objectives. It is not an obstacle to taking risk. On the contrary,
it allows companies to assume additional risks as part of a rigorous, well-defined framework. After
implementing an EWRM approach, management fully understands all critical risks and how they
can be proactively managed. It provides them with tools and techniques to realistically balance
risk/return trade-offs and to quickly seize market opportunities. A fully implemented EWRM is
not just a process for expanded corporate governance, but it also provides an opportunity for
utilizing risk as a competitive advantage in the marketplace. With EWRM, companies can effectively
utilize risk as a competitive weapon, and not view it as a threat. The following chart clearly
illustrates the differences between the traditional approach to risk management and EWRM:
A common misconception is that EWRM transfers the responsibility for risk from the line managers
to a centralized, bureaucratic unit. In fact, the opposite is true. A universal principle of EWRM is
that risk must be managed by the business unit that incurs it. A properly functioning EWRM
ensures that the line managers understand their risk management responsibilities, are given the
tools to manage the risk effectively, and are compensated based upon the success of their efforts.
An effective EWRM program should have three long-term objectives:
- Optimize the costs and efficiencies of risk management programs. The new program should
  eliminate unnecessary controls, consolidate mitigation programs across all functions, and
  focus risk transfer and financing activities.
- Improve business performance. The new program will better align risk programs with
  strategic objectives, provide more accurate measurement and monitoring techniques, and
  reduce the volatility of outcomes.
- Establish a sustainable competitive advantage. It will give managers the tools and processes
  to identify favorable risk taking opportunities and to quickly pursue them.
4. Implementing an EWRM Process
To succeed, EWRM must have the full support of company leadership and management. To ensure
broad management support, an Implementation Team, composed of managers from all functional
areas across the organization, is formed with responsibility for establishing EWRM within an
organization. During each phase of the EWRM development, the Implementation Team will make
specific recommendations to a Risk Management Committee, which will be composed of the senior
managers with direct responsibilities for managing each of the key risks. Once EWRM is
implemented, the Risk Management Committee will be responsible for the ongoing supervision of
EWRM activities. EWRM implementation phases include:
- Assessment Phase: The Implementation Team and selected senior managers work together
  in a series of facilitated sessions to identify and prioritize the critical risks facing an
  organization. A common vocabulary should be developed in order to ensure that
  management and staff use the same terms in describing risks and opportunities.
- Design Phase: Based upon the prioritized risks and the facilitated sessions, the
  Implementation Team will design an EWRM framework that will include the roles and
  responsibilities for management throughout the company, the organizational and reporting
  structure, and the program’s policies and procedures. The risk plan must be aligned with the
  organization’s business strategies and objectives.
- Implementation Phase: During the implementation phase, the principal elements identified
  in the Assessment and Design Phases are institutionalized.
- Improvement Phase: As the process begins, additional risk areas will be discovered that
  should be included, along with better ways of managing the process.
5. Benefits of EWRM
As a result of implementing an EWRM program, senior management can expect the following
benefits:
- Improved Risk Assessment: An EWRM solution will provide an organization with a means
  to understand, identify and prioritize risks. Through risk mapping, management will have a
  better knowledge of its critical risks and their potential impact on the company. It will be
  better prepared to manage its risks and maximize its opportunities within the acquisition,
  product, and funding programs.
- Increased Risk Awareness: Because associates will have a common language for describing
  risks and their potential effects, staff will be better equipped to monitor potential risks and
  opportunities. The company will be able to address uncertainties in a timely fashion before
  challenges, such as class action lawsuits, explode and disrupt business.
- Reduced Number of Risk Incidents: An integrated EWRM process will reduce the number
  of risk incidents because management will be better equipped to handle emerging
  challenges.
- Reduction in Cost of Capital: With an effective EWRM process in place, an organization can
  allocate fewer resources to risk incidents. Efficiency will increase, and therefore, less capital
  will be needed to monitor and manage risks. Increased efficiency may provide the
  opportunity to positively impact earnings.
- Improvement in Risk Measures: Management will have more quantifiable measures of risk
  exposures, because an EWRM process requires more rigorous management oversight. This
  will result in better pricing and capital allocation decisions.
- Increased Competitive Advantage: A company using EWRM will maintain a competitive
  edge. It will be better equipped to handle challenges in a changing environment. By
  proactively monitoring risks, there will be fewer surprises and more ability to maximize
  opportunities. Communication pathways will be more effective.
6. Conclusion
By integrating their risk management activities into an enterprise-wide risk management (EWRM)
framework, firms can optimize risk against return and therefore the return on capital. EWRM
integrates credit, market and operational risk with effective organization, reporting and other
support functions into a single framework to help give managers a complete picture of firm-wide
risks. EWRM can successfully integrate a company’s existing risk management process into its
business objectives and goals. Through a common risk language, managers can more effectively
communicate critical risks and strategies. EWRM provides for effective risk assessment and
management, coupled with efficient and timely reporting methods, thus enabling management
teams to reevaluate and improve practices, policies, and procedures as the environment changes.
With better management, communication, and reporting, adverse risk incidents will decrease,
while confidence in a company will increase. As a result, resources once spent offsetting risks can
be allocated to other parts of the business, thus contributing to a lower capital loss and an increase
in earnings. Under the discipline and structure of the EWRM process, organizations will mini